We use cookies to customise content for your subscription and for analytics.If you continue to browse Lexology, we will assume that you are happy to receive all our cookies. For further information please read our Cookie Policy.

Article 29 Working Party - Transparency

The Article 29 Working Party (WP29), the representative group of data protection authorities across the EU, has issued guidance on the principle of transparency established in the General Data Protection Regulation (GDPR), which comes into force on 25 May 2018.

Transparency requirements oblige data controllers to provide information to data subjects on their rights, to be transparent in communications with data subjects, and to facilitate the exercise of data subjects’ rights under the GDPR.

The guidance sets out that the GDPR requires any information or communication relating to the processing of personal data to be provided:

In a concise, transparent, intelligible and easily accessible form;

Using clear and plain language;

In writing, or by other means, including, where appropriate, by electronic means;

The GDPR requires information be presented in a manner clearly differentiated from other non-privacy related information. Controllers should provide unambiguous information on the most important consequences of the processing on the data subject. They should not have to seek it out.

“Clear and plain language”

Best practices for clear writing are preferred under the GDPR. Any language used must be concrete and definitive. Overly legalistic, technical or specialist language and terminology should not be presented to the data subject.

“In writing or by other means”

The default position for the provision of information under the GDPR is that the information is in written form.

“The information may be provided orally”

The provision of oral information does not necessarily require it to be done in person or by telephone. The WP29 has noted that automated oral information may be provided in addition to written means, such as in the context of persons who are visually impaired.

“Free of charge”

Under the GDPR, controllers cannot charge data subjects for the provision of information or for communications to data subjects.

Format of Information

The WP29 has given examples of the appropriate form the information should take:

Layered Privacy Statements/Notices

Privacy dashboards and pop-up notices

Visualisation tools

Other appropriate means of communication such as postal contracts, person-to-person interaction, or messages sent by email.

Data Subjects’ Rights

The GDPR also requires controllers to allow for data subjects’ to be “meaningfully” positioned to make data requests and that they should provide means to make the request electronically. Where the data subject and controller interact in different ways, a data controller should wish to provide different means for a data subject to exercise their rights.

Conclusion

Although the WP29’s guidance is non-binding, the guidelines are helpful to ensure that data controllers are GDPR-compliant in the run-up to 25 May. The concept of transparency in the GDPR is user-centric, so controllers must ensure that information and communications are understandable from the perspective of a data subject and are not jargon-heavy. Furthermore, controllers must make sure that data subjects’ rights under the GDPR are clearly communicated to them.

Compare jurisdictions: Data Security & Cybercrime

“I enjoy the CLANZ newsstand and find it highly relevant to my job. I definitely have forwarded various articles to my colleagues on occasion where there is a point of general interest, particularly employment or IT law. I really appreciate the service, it's a quick way for me to keep up to date in a way I wouldn't otherwise have time to.”